US10904293B2 - System and method for providing network and computer firewall protection with dynamic address isolation to a device - Google Patents

Abstract

A computer performs dynamic address isolation. The computer comprises an application associated with an application address, a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network, a network address translation engine configured to translate between the application address and a public address, and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The computer may communicate with a firewall configured to handle both network-level security and application-level security.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 16/006,597 filed Jun. 12, 2018, now U.S. Pat. No. 10,284,603, which is a continuation of U.S. patent application Ser. No. 15/653,376 filed Jul. 18, 2017, now U.S. Pat. No. 10,057,295, which is a continuation of U.S. patent application Ser. No. 15/201,309 filed Jul. 1, 2016, now U.S. Pat. No. 9,756,079, which is a continuation of U.S. patent application Ser. No. 13/745,591 filed Jan. 18, 2013, now U.S. Pat. No. 9,391,956, which is a continuation of U.S. patent application Ser. No. 12/130,914 filed May 30, 2008, now U.S. Pat. No. 8,365,272, which claims priority to U.S. Provisional Patent Application Ser. No. 60/940,882 filed May 30, 2007, which are hereby incorporated by reference herein.

TECHNICAL FIELD

This invention relates generally to computer security, and more particularly provides a system and method for providing data and device security between external and host devices.

BACKGROUND

The internet is an interconnection of millions of individual computer networks owned by governments, universities, nonprofit groups, companies and individuals. While the internet is a great source of valuable information and entertainment, the internet has also become a major source of system damaging and system fatal application code, such as “viruses,” “spyware,” “adware,” “worms,” “Trojan horses,” and other malicious code.

To protect users, programmers design computer and computer-network security systems for blocking malicious code from attacking both individual and network computers. On the most part, network security systems have been relatively successful. A computer that connects to the internet from within an enterprise's network typically has two lines of defense. The first line of defense includes a network security system, which may be part of the network gateway, that includes firewalls, antivirus, antispyware and content filtering. The second line of defense includes individual security software on individual machines, which is not typically as secure as the network security system and is thus more vulnerable to attacks. In combination, the first and second lines of defense together provide pretty good security protection. However, when a device connects to the internet without the intervening network security system, the device loses its first line of defense. Thus, mobile devices (e.g., laptops, desktops, PDAs such as RIM's Blackberry, cell phones, any wireless device that connects to the internet, etc.) when traveling outside the enterprise network are more vulnerable to attacks.

FIG. 1 illustrates anexample network system100 of the prior art.Network system100 includes adesktop105 and amobile device110, each coupled to an enterprise'sintranet115. Theintranet115 is coupled via a network security system120 (which may be a part of the enterprise's gateway) to theuntrusted internet130. Accordingly, thedesktop105 andmobile device110 access theinternet130 via thenetwork security system120. Asecurity administrator125 typically manages thenetwork security system120 to assure that it includes the most current security protection and thus that thedesktop105 andmobile device110 are protected from malicious code.Demarcation135 divides the trustedenterprise140 and the untrustedpublic internet130. Because thedesktop105 and themobile device110 are connected to theinternet130 via thenetwork security system120, both have two lines of defense (namely, thenetwork security system120 and the security software resident on the device itself) against malicious code from theinternet130. Of course, although trusted, theintranet115 can also be a source of malicious code.

FIG. 2 illustrates anexample network system200 of the prior art, when themobile device110 has traveled outside the trustedenterprise140 and reconnected to theuntrusted internet130. This could occur perhaps when the user takesmobile device110 on travel and connects to theinternet130 at a cybercafe, at a hotel, or via any untrusted wired or wireless connection. Accordingly, as shown, themobile device110 is no longer protected by the first line of defense (by the network security system120) and thus has increased its risk of receiving malicious code. Further, by physically bringing themobile device110 back into the trustedenterprise140 and reconnecting from within, themobile device110 risks transferring any malicious code received to theintranet115.

As the number of mobile devices and the number of attacks grow, mobile security is becoming increasingly important. The problem was emphasized in the recent Info-Security Conference in New York on Dec. 7-8, 2005. However, no complete solutions were presented.

Similarly, when a host device is connected to an external device such as a USB flash drive, iPod, external hard drive, etc., both devices are vulnerable to receipt of malicious code or transfer of private data.FIG. 11 illustrates an example prior artdata exchange system1100 that includes a host computer (host)1105 and anexternal device1110. Thehost1105 includes an external device (ED)port1115, such as a USB port, for receiving theexternal device1110. Thehost1105 also includesED drivers1120 for performing enumeration and enabling communications between theexternal device1110 and thehost1105. Theexternal device1110 includes an ED plug, such as a USB plug, for communicating with theED port115. Both of thehost1105 andexternal device1110 are vulnerable to receipt of malicious code or transfer of private data.

Accordingly, there is a need for a system and method of providing security to host and external devices.

SUMMARY

In one embodiment, the present invention provides a computer comprising an application associated with an application address; a network interface coupled to receive incoming data packets from and transmit outgoing data packets to an external network; a network address translation engine configured to translate between the application address and a public address; and a driver for automatically forwarding the outgoing data packets to the network address translation engine to translate the application address to the public address, and for automatically forwarding the incoming data packets to the network address translation engine to translate the public address to the application address. The network address translation engine may be part of the driver or part of a firewall. The firewall may be located on a mobile security system. The network address translation engine may be configured to use Dynamic Host Configuration Protocol. The computer may be configured to send data packets identifying the application to a firewall, and the firewall may be configured to handle both network-level security and application-level security.

In one embodiment, the present invention provides a system comprising a network interface; a firewall in communication with the network interface configured to handle both network-level security and application-level security; and a computer in communication with the firewall, having one or more applications, and being configured to send data packets identifying the one or more applications to the firewall. Each data may be is associated with one of the one or more applications. Each data packet may comprise data identifying the application associated with the data packet. The firewall may be configured to use the data identifying the application associated with the data packet to handle application-level security, to create a data packet subset by removing the data identifying the application from the data packet, and to send the data packet subset to an external network. The network interface may be configured to receive incoming data from an external network, and to route the incoming data to the firewall. Each application may be associated with at least one address. The firewall may be configured to dynamically isolate the address from an external network. The firewall may be configured to dynamically isolate the address from the external network through the use of Dynamic Host Configuration Protocol.

In one embodiment, the present invention provides a method within a personal computer of processing incoming data associated with a public address, the method comprising receiving the data from an external network; translating the public address into an internal address associated with an application; analyzing the data for malicious code; and routing the data to the application if the data does not comprise malicious code. The analyzing step may comprise analyzing the data for malicious code at both the network level and the application level. The translating step may use Dynamic Host Configuration Protocol.

In one embodiment, the present invention provides a method within a computer of processing outgoing data, the method comprising receiving outgoing data from an application, the application being associated with an internal address; translating the internal address into a public address; and routing at least a subset of the outgoing data to an external network using the public address, thereby dynamically isolating the internal address from the external network. The translating step may use Dynamic Host Configuration Protocol. The method may further comprise configuring the outgoing data into one or more data packets; associating each of the one or more data packets with the application; and embedding application-identifying data in each of the one or more data packets. The method may further comprise creating one or more data packet subsets by removing the application-identifying data from each of the one or more data packets, wherein the routing step comprises routing the one or more data packet subsets to the external network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a prior art network system in a first state.

FIG. 2 is a block diagram of a prior art network system in a second state.

FIG. 3 is a block diagram of a network system in accordance with an embodiment of the present invention.

FIG. 4 is a block diagram illustrating details of a computer system in accordance with an embodiment of the present invention.

FIGS. 5 and 5A are block diagrams illustrating details of the mobile security system in accordance with an embodiment of the present invention.

FIG. 6 is a block diagram illustrating details of the mobile security system in accordance with a Microsoft Window's embodiment.

FIG. 7 is a block diagram illustrating details of a smart policy updating system in accordance with an embodiment of the present invention.

FIG. 8 is a block diagram illustrating details of network security measures relative to the OSI layers.

FIG. 9 is a block diagram illustrating details of the communication technique for spreading security code to the mobile security systems.

FIGS. 10A-10C are block diagrams illustrating various architectures for connecting a mobile device to a mobile security system, in accordance with various embodiments of the present invention.

FIG. 11 is a block diagram illustrating a prior art data exchange system.

FIG. 12 is a block diagram illustrating a secure data exchange system, in accordance with an embodiment of the present invention.

FIG. 13 is a block diagram illustrating details of a security device, in accordance with an embodiment of the present invention.

FIG. 14 is a block diagram illustrating details of a security system, in accordance with an embodiment of the present invention.

FIG. 15 is a block diagram illustrating a secure data exchange system, in accordance with another embodiment of the present invention.

FIG. 16 is a flowchart illustrating a method of secure data exchange between a host and an external device, in accordance with an embodiment of the present invention.

FIG. 17 is a block diagram illustrating a prior art network system having a hardware-based firewall.

FIG. 18 is a block diagram illustrating a prior art network system having a software-based firewall.

FIG. 19 is a block diagram illustrating a network system that performs dynamic address isolation, in accordance with an embodiment of the present invention.

FIG. 20 is a block diagram illustrating a prior art network system having separate network and personal firewalls.

FIG. 21 is a block diagram of a network system comprising a hybrid firewall in accordance with an embodiment of the present invention.

FIG. 22 is a block diagram illustrating a network system comprising a hybrid firewall and configured according to the embodiment of the present invention shown inFIG. 10A.

FIG. 23 is a flowchart of a method of routing a data communication from an external network to an application, in accordance with an embodiment of the present invention.

FIG. 24 is a flowchart of a method of routing a data communication from an application to an external network, in accordance with an embodiment of the present invention.

FIG. 25 is a flowchart of a method of routing a data communication from an external network to an application, in accordance with an embodiment of the present invention.

FIG. 26 is a flowchart of a method of routing a data communication from an application to an external network, in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION

The following description is provided to enable any person skilled in the art to make and use the invention, and is provided in the context of a particular application and its requirements. Various modifications to the embodiments may be possible to those skilled in the art, and the generic principles defined herein may be applied to these and other embodiments and applications without departing from the spirit and scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles, features and teachings disclosed herein.

An embodiment of the present invention uses a small piece of hardware that connects to a mobile device and filters out attacks and malicious code. The piece of hardware may be referred to as a “mobile security system” or “personal security appliance.” Using the mobile security system, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise.

FIG. 3 illustrates anetwork system300 in accordance with an embodiment of the present invention.Network system300 includes adesktop305, a firstmobile device310a, and a secondmobile device310b. The firstmobile device310ais illustrated as within the enterprise network340 at this time and is coupled via amobile security system345ato the enterprise'sintranet315. Thedesktop305 and secondmobile device310bare also within the enterprise network340 but in this embodiment are coupled to theintranet315 without an interveningmobile security system345 such asmobile security system345b. Theintranet315 is coupled via a network security system320 (which may be part of the enterprise's gateway) to theuntrusted internet330. Accordingly, the firstmobile device310a, the secondmobile device310band thedesktop305 access theuntrusted internet330 via thenetwork security system320. Each may also be protected by a personal security system resident thereon (not shown). A thirdmobile device310cis currently outside the enterprise network340 and is coupled via amobile security system345bto theuntrusted internet330. The thirdmobile device310 may be in use by an employee of the trusted enterprise340 who is currently on travel. Asecurity administrator325 manages themobile security system345a, themobile security system345b, and thenetwork security system320 to assure that they include the most current security protection. One skilled in the art will recognize that the same security administrator need not manage the various devices. Further, the security administrator could be the user and need not be within the trusted enterprise340.

Demarcation335 divides the trusted enterprise340 and the untrusted publiclyaccessible internet330. Each ofmobile device310a,310band310cmay be referred to generically asmobile device310, although they need not be identical. Eachmobile security system345aand345bmay be referred to generically asmobile security system345, although they need not be identical.

As shown, although themobile device310chas traveled outside the trusted enterprise340, themobile device310cconnects to theuntrusted internet330 via themobile security system345band thus retains two lines of defense (namely, themobile security system345band the security software resident on the device itself). In this embodiment, themobile security system345 effectively acts as a mobile internet gateway on behalf of themobile device310c. In an embodiment, themobile security system345 may be a device dedicated to network security. In an embodiment, eachmobile security system345 may support multiplemobile devices310, and possibly only registeredmobile devices310, e.g., those belonging to enterprise340.

Each mobile security system345 (e.g.,345a,345b) may be a miniature server, based on commercial hardware (with Intel's Xscale as the core), Linux OS and network services, and open-source firewall, IDS/IPS and antivirus protection. Themobile security system345 may be based on a hardened embedded Linux 2.6.

In this embodiment, because thesecurity administrator325 is capable of remotely communicating with themobile security system345b, IT can monitor and/or update the security policies/data/engines implemented on themobile security system345b. Thesecurity administrator325 can centrally manage all enterprise devices, remotely or directly. Further, thesecurity administrator325 andmobile security systems345 can interact to automatically translate enterprise security policies into mobile security policies and configuremobile security systems345 accordingly. Because themobile security system345 may be generated from the relevant security policies of the enterprise340, themobile device310ccurrently traveling may have the same level of protection as thedevices305/310 within the trusted enterprise340.

Themobile security system345 may be designed as an add-on to existing software security or to replace all security hardware and software on a traveling mobile device. These security applications will preferably operate on different OSI layers to provide maximum security and malicious code detection, as shown in the example system illustrated inFIG. 8. Operating on the lower OSI layers and doing TCP/IP packets analysis only (by screening firewall or router packets) would miss virus and/or worm behavior. Also, many modern viruses use mobile code implemented on a “higher” level than the 7^thOSI layer (Application—HTTP, FTP, etc.) and therefore cannot be interpreted at the packet layer nor at the application layer. For example, applying antivirus analysis only at the session or transport layer on a malicious Java Script (that is included in an HTML page), trying to match the signature with packets and without understanding the content type (Java Script), will not detect the malicious nature of the Java Script. To offer greater protection, themobile security system345 may act as corporate class security appliance and engage different security applications based on the content type and the appropriate OSI layers, (or even a “higher” level if content is encapsulated in the application layer). Themobile security system345 may be configured to perform content analysis at different OSI layers, e.g., from the packet level to the application level. It will be appreciated that performing deep inspection at the application level is critical to detect malicious content behavior and improve detection of viruses, worms, spyware, Trojan horses, etc. The following software packages may be implemented on the mobile security system345:

Firewall and VPN—including stateful and stateless firewalls, NAT, packet filtering and manipulation, DOS/DDOS, netfilter, isolate user mobile devices from the internet and run VPN program on the device, etc.

Optional web accelerator and bandwidth/cache management based on Squid.

IDS/IPS—Intrusion detection and prevention system based on Snort. Snort is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol- and anomaly-based inspections.

Antivirus and antispyware based on ClamAV; additional AV and AS engines, e.g., McAfee, Kaspersky, Pandamay, may be offered for additional subscription fees.

Malicious Content Detection—on the fly heuristics that perform content analysis to detect malicious content before having signatures. This will be based on a rule base and updated rules and will be content dependent scanning.

URL Categorization Filtering—based on a commercial engine, such as Surfcontrol, Smart Filters or Websense. May provide around 70 categories of URLs such as gambling, adult content, news, webmail, etc. Themobile device345 may apply different security policies based on the URL category, e.g., higher restriction and heuristics for Gambling or Adult content web sites, etc.

FIG. 4 is a block diagram illustrating details of anexample computer system400, of which eachdesktop305,mobile device310,network security system320,mobile security system345, andsecurity administrator325 may be an instance.Computer system400 includes aprocessor405, such as an Intel Pentium® microprocessor or a Motorola Power PC® microprocessor, coupled to acommunications channel410. Thecomputer system400 further includes aninput device415 such as a keyboard or mouse, anoutput device420 such as a cathode ray tube display, acommunications device425, adata storage device430 such as a magnetic disk, andmemory435 such as Random-Access Memory (RAM), each coupled to thecommunications channel410. Thecommunications interface425 may be coupled directly or via amobile security system345 to a network such as the internet. One skilled in the art will recognize that, although thedata storage device430 andmemory435 are illustrated as different units, thedata storage device430 andmemory435 can be parts of the same unit, distributed units, virtual memory, etc.

Thedata storage device430 and/ormemory435 may store an operating system440 such as the Microsoft Windows XP, the IBM OS/2 operating system, the MAC OS, UNIX OS, LINUX OS and/orother programs445. It will be appreciated that a preferred embodiment may also be implemented on platforms and operating systems other than those mentioned. An embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, possibly using object oriented programming methodology.

One skilled in the art will recognize that thecomputer system400 may also include additional information, such as network connections, additional memory, additional processors, LANs, input/output lines for transferring information across a hardware channel, the internet or an intranet, etc. One skilled in the art will also recognize that the programs and data may be received by and stored in the system in alternative ways. For example, a computer-readable storage medium (CRSM)reader450 such as a magnetic disk drive, hard disk drive, magneto-optical reader, CPU, etc. may be coupled to thecommunications bus410 for reading a computer-readable storage medium (CRSM)455 such as a magnetic disk, a hard disk, a magneto-optical disk, RAM, etc. Accordingly, thecomputer system400 may receive programs and/or data via theCRSM reader450. Further, it will be appreciated that the term “memory” herein is intended to cover all data storage media whether permanent or temporary.

FIG. 5 is a block diagram illustrating details of themobile security system345 in accordance with an embodiment of the present invention.Mobile security system345 includes adapters/ports/drivers505,memory510, aprocessor515, a preboot flash/ROM memory module520 storing a secure version of the mobile security system's operating system and other applications,network connection module525,security engines530,security policies535,security data540,remote management module550,distribution module555, andbackup module560. Although these modules are illustrated as within themobile security system345, one skilled in the art will recognize that many of them could be located elsewhere, e.g., on thesecurity administrator325 or on third-party systems in communication with themobile security system345. Themobile security system345 may be in a pocket-size, handheld-size or key-chain size housing, or possibly smaller. Further, themobile security system345 may be incorporated within themobile device310.

The adapters/ports/drivers505 include connection mechanisms (including software, e.g., drivers) for USB, Ethernet, WiFi, WiMAX, GSM, CDMA, BlueTooth, PCMCIA and/or other connection data ports on themobile security system345. In one embodiment, the adapters/ports/drivers505 may be capable of connection tomultiple devices310 to provide network security to themultiple devices310.

Memory510 andprocessor515 execute the operating system and applications on themobile security system345. In this example, thepreboot flash520 stores the operating system and applications. At boot time, the operating system and applications are loaded from thepreboot flash520 intomemory510 for execution. Since the operating system and applications are stored in thepreboot flash520, which cannot be accessed during runtime by the user, the operating system and applications in thepreboot flash520 are not corruptible. Should the copy of the operating system and applications inmemory510 be corrupted, e.g., by malicious code, the operating system and applications may be reloaded into thememory510 from thepreboot flash520, e.g., upon restart. Although described as stored within thepreboot flash520, the OS and applications can be securely stored within other read-only memory devices, such as ROM, PROM, EEPROM, etc.

As shown inFIG. 5A, memory (includingmemory510 and preboot flash520) on themobile security system345 may be divided into the following zones: read onlymemory570;random access memory575 for storing a copy of the OS, kernel and security applications;runtime environment580; anddatabase585 for storing application data, log files, etc. Upon each “hard” restart, the boot loader (resident in read only memory570) of themobile security system345 copies the kernel and security applications (a fresh unchanged copy) from read onlymemory570 torandom access memory575. This causes a clean version of the OS and applications to be loaded intorandom access memory575 each time. That way, if a special attack onmobile security system345 is developed, the attack will be unable to infect the system, since the OS and applications are precluded from accessing read onlymemory570 during runtime. Further, any attack that does reachmemory510 will be able to run only once and will disappear upon a hard restart. A triggering mechanism may be available to restart themobile security system345 automatically upon infection detection.

Thenetwork connection module525 enables network connection, e.g., to theinternet330 or theintranet315 via network communication hardware/software including WiFi, WiMAX, CDMA, GSM, GPRS, Ethernet, modem, etc. For example, if themobile device310 wishes to connect to theinternet330 via a WiFi connection, the adapters/ports/drivers505 may be connected to the PCI port, USB port or PCMCIA port of themobile device310, and thenetwork connection module525 of themobile security system345 may include a WiFi network interface card for connecting to wireless access points. Using thenetwork connection module425, themobile security system345 may communicate with the network as a secure gateway for themobile device310. Other connection architectures are described inFIGS. 10A-10C.

Thesecurity engines530 execute security programs based on thesecurity policies535 and onsecurity data540, both of which may be developed by IT managers.Security engines530 may include firewalls, VPN, IPS/IDS, antivirus, antispyware, malicious content filtering, multilayered security monitors, Java and bytecode monitors, etc. Eachsecurity engine530 may have dedicatedsecurity policies535 andsecurity data540 to indicate which procedures, content, URLs, system calls, etc. theengines530 may or may not allow. Thesecurity engines530,security policies535 andsecurity data540 may be the same as, a subset of, and/or developed from the engines, policies and data on thenetwork security system320.

To provide a higher security level provided by antivirus and antispyware software, thesecurity engines530 on eachmobile security system345 may implement content analysis and risk assessment algorithms. Operating for example at OSI Layer 7 and above (mobile code encapsulated within Layer 7), these algorithms may be executed by dedicated High Risk Content Filtering (HRCF) that can be controlled by a rules engine and rule updates. The HRCF will be based on a powerful detection library that can perform deep content analysis to verify real content types. This is because many attacks are hidden within wrong mime types and/or may use sophisticated tricks to present a text file type to a dangerous active script or ActiveX content type. The HRCF may integrate with a URLcategorization security engine530 for automatic rule adjustment based on the URL category. In one embodiment, when the risk level increases (using the described mechanism) themobile security system345 may automatically adjust and increase filtering to remove more active content from the traffic. For example, if greater risk is determined, every piece of mobile code, e.g., Java script, VB script, etc. may be stripped out.

Three aspects for integration with corporate policy server legacy systems include rules, LDAP and active directory, and logging and reporting as discussed below. In one embodiment, a policy import agent running on thesecurity administrator325 will access the rule base of Checkpoint Firewall-1 and Cisco PIX Firewalls and import them into a local copy. A rule analysis module will process the important rules and will offer out-of-the-box rules and policies formobile security systems345. This proposed policy will offer allmobile security systems345 a best fit of rules that conform the firewall policy of the enterprise340. The agent will run periodically to reflect any changes and generate updates formobile security system345policies535. The LDAP and Active Directory may be integrated with the directory service to maintainmobile security system345security policies535 that respond to the enterprise's directory definitions. For example, a corporate policy for LDAP user Group “G” may automatically propagate to allmobile security systems345 in “G” group.Mobile security system345 local logs and audit trails may be sent in accordance to a logging and reporting policy to a central log stored at thesecurity administrator325. Using a web interface, IT may be able to generate reports and audit views related to allmobile device310 users, their internet experiences, and attempts to bring infected devices back to the enterprise340. IT will be able to forward events and log records into legacy management systems via SYSLOG and SNMP Traps.

Thesecurity engines530 may perform weighted risk analysis. For example, thesecurity engine530 may analyze HTTP, FTP, SMTP, POP3, IM, P2P, etc. including any traffic arriving from theinternet330. Thesecurity engine530 may assign a weight and rank for every object based on its type, complexity, richness in abilities, source of the object, etc. Thesecurity engine530 may assign weight based on the source using a list of known dangerous or known safe sources. Thesecurity engine530 may assign weight to objects based on the category of the source, e.g., a gambling source, an adult content source, a news source, a reputable company source, a banking source, etc. Thesecurity engine530 may calculate the weight, and based on the result determine whether to allow or disallow access to the content, the script to run, the system modification to occur, etc. Thesecurity engine530 may “learn” user content (by analyzing for a predetermined period of time the general content that the user accesses) and accordingly may create personal content profiles. The personal content profile may be used to calibrate the weight assigned to content during runtime analysis to improve accuracy and tailor weighted risk analysis for specific user characteristics.

In some embodiments, thesecurity engines530,security policies535 andsecurity data540 may enable bypassing themobile security system345. Thesecurity policy535, set by thesecurity administrator325, may include a special attribute to force network connection through themobile security system325 when outside the trusted enterprise340. Thus, if this attribute is set “on.” when amobile device310 attempts to connect to theinternet330 without themobile security system345 and not from within the trusted enterprise340, all data transfer connections including LAN connection, USB-net, modem, Bluetooth, WiFi, etc. may be closed. Themobile device310 may be totally isolated and unable to connect to any network, including theinternet330.

In one embodiment, to enable this, when first connecting themobile security system345 to themobile device310 using for example the USB cable (for both power and USB connection creation), the USB plug & play device driver will be sent into themobile device310. The installed driver may be “Linux.inf” which allows a USB-net connection for themobile security system345. This connection allows themobile security system345 to access theinternet330 via the USB port and using themobile device310 network connection plus additional code (“the connection client”). In a Windows example, the connection client may be installed at the NDIS level of themobile device310 above all the network interface cards of every network connection as shown inFIG. 6. The implementation will be as an NDIS Intermediate (IM) Driver or NDIS-Hooking Filter Driver. Both implementations may be at the kernel level, so that an end user cannot stop or remove it. When starting themobile device310, the connection client may attempt to connect to thesecurity administrator325 or thenetwork security system320 locally within the trusted enterprise340. If the node is not found (finding via VPN is considered as not found in local LAN), the connection client will assume it is working from outside the trusted enterprise340 and expects to find themobile security system345 connected, e.g., via USB-net or other connection mechanism. If themobile security system345 is not found, the connection client may avoid any communication to any network connection. By a policy definition, this behavior can be modified to allow communication to the enterprise340 via VPN installed in themobile device310. Similarly, in case of amobile device system345 failure, all traffic may be disabled, except for the VPN connection into the enterprise340.

It will be appreciated that NDIS is one possible implementation of intercepting traffic at the kernel level. For example, in another embodiment, the system may hook Winsock or apply other ways that may be in future Windows versions.

In an embodiment where themobile security system345 supports multiplemobile devices310, thesecurity engines530,security policies535 andsecurity data540 may be different for each mobile device310 (e.g., based on for example user preferences or IT decision). Alternatively, it can apply thesame engines530,policies535 anddata540 for allconnected devices310.

Theremote management module550 enables communication with security administrator325 (and/or other security administrators), and enables local updating ofsecurity engines530,security policies535,security data540 including signatures and other applications. In one embodiment, modification to thesecurity policies535 anddata540 can be done by thesecurity administrator325 only. Theremote management module550 of themobile security system345 may receive updates from an update authorities device (UAD), e.g., on thesecurity administrator325 via a secured connection. A UAD may operate on an update server at a customer IT center located on theinternet330 to forward updates tomobile security systems345 that possibly do not belong to anenterprise540 in charge of managing updates. A UAD may operate on amobile security system345.Security engine530 updates may modify the antivirus engine DLL, etc. OS and security application updates may be implemented only from within theenterprise540 while connecting to thesecurity administrator325 and via an encrypted and authenticated connection.

Thesecurity administrator325 can modify URL black and white lists for remote support to traveling users. In case of false positives, thesecurity administrator325 may allow access to certain URLs, by bypassing the proactive heuristics security but still monitoring by firewall, antivirus, IPS/IDS, etc. Additional remote device-management features may enable thesecurity administrator325 to perform remote diagnostics, access local logs, change configuration parameters, etc. on themobile security system345. Thesecurity administrator325 may delegate tasks to a helpdesk for support.

Theremote management module550 may communicate with a wizard (e.g., wizard745), which may be on thesecurity administrator325, as illustrated inFIG. 7, or on another system. Details of thewizard745 and details of the communication schemes between theremote management module550 and thewizard745 are described below with reference toFIG. 7.

Thedistribution module555 enables distribution of updates, e.g.,security policy535 updates including rule updates,security data540 updates including signature updates,security engine530 updates, application/OS updates, etc. by themobile security system345 to N othermobile security systems345. A routing table identifying the N othermobile security systems345 to whom to forward the updates may be provided to thedistribution module555 to enablesystem345 tosystem345 communication. Updates may be implemented according to policies set by thesecurity administrator325. When forwarding updates, thedistribution module555 acts as a UAD.

Eachmobile security system345 may obtain its routing table with security information updates, periodically, at predetermined times, upon login, etc. The routing tables may be maintained on a server, e.g., thesecurity administrator325 or anothermobile security system345. In one embodiment, themobile security systems345 may contact the server to retrieve the routing tables. Alternatively, the server may push the routing tables to themobile security systems345.

Thedistribution module555 may enable rapid updates as shown inFIG. 9. Currently, all commercial antivirus products available do not update devices faster than viruses spread. To assure that a new virus attack does not spread faster than for example signature updates, eachmobile security system345 may be an active UAD. In one embodiment, as shown inFIG. 9, eachmobile security system345 is responsible for forwarding the signature updates to fourother devices345. As one skilled in the art will recognize, alldevices345 need to forward to the same number ofother devices345.Multiple devices345 may be responsible for forwarding to thesame device345. When necessary,offline devices345 being activated may poll the server, e.g., thesecurity administrator325, for routing table updates. Many other updating techniques are also possible.

Thebackup module560 may constantly back-up image and changes of the boot sector and system files of themobile device310 into theflash memory520 or into another persistent memory device. That way, in case of major failure, including a loss of the system or boot sector of themobile device310, themobile security system345 may be identified as a CD-ROM during reboot and may launch the backup module (or separate program) to restore the boot sector and system files on themobile device310, thereby recovering themobile device310 without the need for IT support. In an embodiment where thenetwork security system345 supports multiplemobile devices310, thebackup module560 may contain separate boot sector and system files for each of themobile devices310, if different.

FIG. 7 is a block diagram illustrating details of a smartpolicy updating system700 in accordance with an embodiment of the present invention.System700 includes thesecurity administrator325 coupled to thenetwork security system320 and to themobile security system345. Thenetwork security system320 includessecurity engines705, including anantivirus engine715, an IPS/IDS engine720, afirewall engine725, and other security engines. Thenetwork security system320 also includes security policies anddata710, including antivirus policies anddata730, IPS/IDS policies anddata735, firewall policies anddata740, and other policies and data. Similarly, themobile security system345 includes anantivirus engine755, an IPS/IDS engine760, afirewall engine765, and other engines. Themobile security system345 also includes security policies anddata535/540, including antivirus security policies anddata770, IPS/IDS security policies anddata775, firewall security policies anddata780, and other security policies and data.

Thesecurity administrator325 includes awizard745 for enabling substantially automatic initial and possibly dynamic setup of thesecurity engines530,security policies535 andsecurity data540 on themobile security system345. In one embodiment, thewizard745 may automatically load allsecurity engines705 and policies anddata710 of thenetwork security system320 as thesecurity engines530 and policies anddata535/540 on themobile security system345. In another embodiment, thewizard745 may include allsecurity engines705 and policies anddata710 except those known to be irrelevant, e.g., those related to billing software used by accounting, those relating to web software running only on the web servers, etc. In another embodiment, theengines530 would need to be loaded by an IT manager, and would not be loaded automatically by thewizard745.

In one embodiment, thewizard745 may determine whether themobile security system345 requires aparticular security engine530, e.g., anantivirus engine755, IPS/IDS engine760,firewall engine765, etc. If so determined, then thewizard745 would load theengine530 onto themobile security system345. Thewizard745 would then determine which policies and data sets, e.g., some forantivirus engine755, some for the IPS/IDS engine760, some for thefirewall engine765, etc. are important to themobile security system345. Thewizard745 will then determine which of the antivirus policies anddata730 on thenetwork security system320 are relevant to the antivirus policies anddata770 on themobile security system345, which of the IPS/IDS policies anddata735 on thenetwork security system320 are relevant to the IPS/IDS policies anddata775 on themobile security system345, which of the firewall policies anddata740 on thenetwork security system320 are relevant to the firewall policies anddata780 on themobile security system345, and which of the other policies and data on thenetwork security system320 are relevant to the policies and data on themobile security system345. As stated above, thewizard745 may determine that allsecurity engines705 or just a subset are needed on themobile security system345. Thewizard745 may determine that all policies anddata710 for a given engine type or just a subset should be forwarded. Thewizard745 may determine which relevant policies anddata710 should be forwarded to themobile security system345 based on rules developed by an IT manager, based on item-by-item selection during the setup procedure, etc. Alternative to thewizard745, an IT manager can setup theengines530 and policies anddata535/540 on themobile security system345 without thewizard745.

Thesecurity administrator325 may also include anupdate authorities device750. Theupdate authorities device750 may obtain security system updates (e.g., signature updates) and may send the updates to thenetwork security system320 and to themobile security system345. One skilled in the art will recognize that the updates to thenetwork security system320 and the updates to themobile security system345 need not be the same. Further, theupdate authorities device750 may obtain the updates from security managers, security engine developers, antivirus specialists, etc. Theupdate authorities device750 may forward the updates to allnetwork security systems320 and allmobile security systems345, or may forward routing tables to allmobile security systems345 and the updates only to an initial set ofmobile security systems345. The initial set ofmobile security systems345 may forward the updates to themobile security systems345 identified in the routing tables in a P2P manner, similar to the process illustrated inFIG. 9. As stated above, eachmobile security system345 operating to forward updates is itself acting as anupdate authorities device750.

Other applications may be included on themobile security system345. For example, add-on applications for recurring revenue from existing customers may include general email, anti-spam, direct and secured email delivery, information vaults, safe skype and other instant messaging services, etc.

Email Security and Anti-spam—implementation of mail relay on mobile security systems345 (including the web security engine above) and a local spam quarantine (based on SendMail or similar process) may implement a complete mail security suite (SMTP and POP3) including anti-spam with real time indexing (via online web spam quarries). Users may have access to the quarantine to review spam messages, release messages, modify and custom spam rules, etc., via a web interface.

Direct and Secured Email Delivery based on mail relay will allow themobile security system345 to send user email directly from onemobile security system345 to anothermobile security system345 without using in route mail servers. This allows corporate users to send emails that need not travel in the internet, thus leaving trace and duplicates on different unknown mail servers in route. This combined with the ability to use a secured pipe between two mobile security systems is valuable to corporations. Without such methodology, people could trace emails exchange without accessing to the enterprise's mail server, by tracking down copies in intermediate mail servers that were used to deliver the messages.

Information Vault—Application to encrypt and store end user information on themobile security system345 may be available only to authorized users via a web interface and a web server implemented oil every mobile security system345 (e.g., BOA, Apache, etc.)

Safe Skype and Other IM—implementing an instant messaging client on themobile security system345 can guarantee that the instant messaging system or P2P application has no access to data on themobile device310. Adding a chipset of AC/97 to provide a sound interface on themobile security system325 could allow users to talk and receive calls directly from/to themobile security system325.

Although not shown, a small battery may be included with themobile security system345. This battery may be charged by the USB connection during runtime or using the power adapter at any time. The battery may guarantee proper shutdown, e.g., when user disconnects the USB cable from themobile security system345. It will be signaled by the system which will launch applications and system shutdown. This will ensure a proper state of the file system and flashing open files buffers.

A multi-layered defense and detection abilities is required. This may be done by a special code that is constantly monitoring the scanning result by different systems (antivirus, IDS/IPS, firewall, antispyware, URL category, etc.) and at different levels to build a puzzle and identify an attack even if it's not recognized by each of the individual subsystems. By doing this, themobile security system345 will maintain and in some cases even improve the security level provided within theenterprise540.

One available benefit of themobile security system345 is its ability to enforce the policy of theenterprise540 on the end user while they are traveling or working from home. Since themobile security system345 uses similar security engines and policy as when connected from within theenterprise540 and since the end user cannot access theinternet330 without it (except via VPN connection into the enterprise540), IT may be capable of enforcing its security policy beyond the boundaries of theenterprise540. The OS may be under the entire supervision of IT, while themobile security system345 OS acts as an end user OS under his control. This resolves the problems of who controls what and how security and productivity face minimal compromise.

A standalone version of themobile security system345 may offer the same functionality, and may provide a local management interface via web browser. Attractive to home users and small offices that lack an IT department, themobile security system345 enables the end user to launch a browser, connect to themobile security system345, set the different policies (update policy, security rules, etc.) including modifying the white and black URL lists, etc. There is also an opportunity to provide end users with a service of remote management of themobile security systems345 by subscription.

FIGS. 10A, 10B and 10C illustrate three example architectures of connecting amobile security system345 to amobile device310, in accordance with various embodiments of the present invention. InFIG. 10A, themobile device310 is coupled to themobile security system345 via USB connections1015 and1020 and is coupled to theinternet330 via aNIC card1005. Themobile device310 receives internet traffic from theinternet330 via itsNIC card1005. A kernel-level redirector1010 (e.g., via NDIS, Winsock, etc.) on themobile device310 automatically redirects the interact traffic via the USB connections1015 and1020 to themobile security system345, which scans, cleans and returns the cleaned internet traffic to themobile device310 via the USB connections1015 and1020. InFIG. 10B, themobile device310 is coupled to themobile security system345 viaUSB connections1025 and1030. Themobile security system345 includes a NIC card1035 for receiving internet traffic from theinternet330. Themobile security system345 scans, cleans and forwards the internet traffic via theUSB connections1025 and1030 to themobile device310. InFIG. 10C, themobile device310 is coupled to themobile security system345 viaNIC cards1040 and1045. Themobile security system345 receives internet traffic from theinternet330 via itsNIC card1045. Themobile security system345 scans, cleans and forwards the internet traffic wirelessly via theNIC cards1040 and1045 to themobile device310. Other connection architectures are also possible.

FIG. 12 is a block diagram illustrating a securedata exchange system1200, in accordance with an embodiment of the present invention. The securedata exchange system1200 includes a host computer (host)1205 coupled via asecurity device1210 to anexternal device1110. Thehost1205 may include a laptop, desktop, PDA, mobile phone, or other processor-based device. Theexternal device110 may be any external device with memory such as a USB drive, external hard drive, PDA, music player, cell phone, etc. Thesecurity device1210 is communicatively coupled to thehost1205 via an ED port1225 (USB, serial, parallel, Firewire, Ethernet, WiFi, WiMAX, GSM, CDMA, BlueTooth, PCMCIA and/or other connection) and an ED plug1230 (USB, serial, parallel, Firewire, Ethernet, WiFi, WiMAX, GSM, CDMA, BlueTooth, PCMCIA and/or other connection). Theexternal device1110 is communicatively coupled to thesecurity device1210 via an ED port1235 (USB, serial, parallel Firewire, Ethernet, WiFi, WiMAX, GSM, CDMA, BlueTooth, PCMCIA and/or other connection) and ED plug1120 (USB, serial, parallel, Firewire, Ethernet, WiFi, WiMAX, GSM, CDMA, BlueTooth, PCMCIA and/or other connection). The connector type of theED port1225 and ED plug1230 combination may be different that the connector type of theED port1235 and ED plug1120 combination. In one embodiment, allports1225/1235 and plugs1230/1120 are USB. Although theplugs1120/1230 are illustrated as male andports1225/11235 arc shown as female, one skilled in the art will recognize that the opposite is possible (plugs1120/1230 may be female andports1225/1235 may be male).

Thehost1205 includesED drivers1220 for performing enumeration and enabling communication with thesecurity device1210. Similarly, thesecurity device1210 includesED drivers1245 for performing enumeration and enabling communication with theexternal device1110.

In one embodiment, thesecurity device1210 includes a programmable hardware appliance capable of enforcing security policies to protect against malicious code such as viruses, spyware, adware, Trojan Horses, etc. and to protect against transfer of private data. In one embodiment, thesecurity device1210 is configured to protect both thehost1205 and the external device1215. In one embodiment, thesecurity device1210 is configured to protect only one of theexternal device1110 or thehost1205. Additional details of thesecurity device1210 are provided with reference toFIGS. 13 and 14.

FIG. 13 is a block diagram illustrating details of thesecurity device1210, in accordance with an embodiment of the present invention. Thesecurity device1210 includes aprocessor1305, such as an Intel Pentium® microprocessor or a Motorola Power PCX microprocessor, coupled to acommunications channel1315. Thesecurity device1210 further includes anED plug1230, anED port1235, acommunications interface1310,storage1320 such as an EEPROM, andmemory1325 such as Random-Access Memory (RAM) or Read Only Memory (ROM), each coupled to thecommunications channel1315. Thecommunications interface1310 may be coupled to a network such as the internet. One skilled in the art will recognize that, although thestorage1320 andmemory1325 are illustrated as different units, thedata storage device1320 andmemory1325 can be parts of the same unit, distributed units, virtual memory, etc. The term “memory” herein is intended to cover all data storage media whether permanent or temporary. One skilled in the art will recognize that thesecurity device1210 may include additional components, such as network connections, additional memory, additional processors, LANs, input/output lines for transferring information across a hardware channel, the internet or an intranet, etc.

As shown,memory1325 stores anoperating system1330 such as the Microsoft Windows XP, the IBM OS/2 operating system, the MAC OS, Unix OS, Linux OS, etc. It will be appreciated that a preferred embodiment may also be implemented on platforms and operating systems other than those mentioned. An embodiment may be written using JAVA, C, and/or C++ language, or other programming languages, possibly using object oriented programming methodology. Thememory1325 also storesED drivers1245 and asecurity system1335. TheED drivers1245 may include standard drivers for standardexternal devices1110 and proprietary drivers for proprietaryexternal devices1110. TheED drivers1245 may be transferred onto thememory1325 viaED plug1230. Thesecurity system1335 includes code for enforcing security policies on data transfer actions between thehost1205 andexternal device1110.

FIG. 14 is a block diagram illustrating details of asecurity system1335, in accordance with an embodiment of the present invention. Thesecurity system1335 includes asecurity manager1405,security engines1410,security policies1415, andsecurity data1420.

In one embodiment, thesecurity manager1405 includes code for performing enumeration, namely, to identify theexternal device1110 orexternal device1110 type and to identify thecorresponding ED driver1245 capable of establishing communication between thesecurity device1210 and theexternal device1110. Thesecurity manager1405 also includes code to control execution of thevarious security engines1410 based on thesecurity policies1415 andsecurity data1420 to evaluate data transfer requests or other device requests. Further, thesecurity manager1405 includes code to communicate with thehost1205, which will be the source of the data transfer and/or other requests.

In one embodiment, thesecurity engines1410 includes code for securing the transfer of data between thehost1205 and theexternal device1110 based on thesecurity policies1415 andsecurity data1420. Thesecurity engines1410 may include firewalls, antivirus, antispyware, malicious content filtering, multilayered security monitors, Java and bytecode monitors, etc. Thesecurity engines1410 may also include data privacy modules to enforcedata privacy policies1415. Eachsecurity engine1410 may have dedicatedsecurity policies1415 andsecurity data1420 to indicate which procedures, URLs, system calls, content, ID, etc. the data requested for transfer may contain or whether the data requested for transfer is considered nontransferable (or nontransferable without additional security measure such as a password and ID).

To provide a higher security level, thesecurity engines1410 may implement content analysis and risk assessment algorithms. In one embodiment, asecurity engine1410 assigns a weight and rank for every transfer object based on its type, complexity, richness in abilities, source, etc. Thesecurity engine1410 may assign weight based on the source using a list of known dangerous or known safe sources. Thesecurity engine1410 may assign weight to objects based on the category of the source, e.g., a gambling source, an adult content source, a news source, a reputable company source, a banking source, etc. Thesecurity engine1410 may calculate the weight, and based on the result determine whether to allow or disallow access to the content, the script to run, the system modification to occur, etc. Thesecurity engine1410 may “learn” user content (by analyzing for a predetermined period of time the general content that the user accesses) and accordingly may create personal content profiles. The personal content profile may be used to calibrate the weight assigned to content during runtime analysis to improve accuracy and tailor weighted risk analysis for specific user characteristics.

Thus, upon receiving a data transfer and/or other request from thehost1205, thesecurity manager1405 will launch theappropriate security engines1410 based on thesecurity policies1415. For example, thesecurity policies1415 may be configured not to allow specific ActiveX controls to be loaded from thehost1205 onto theexternal device1110. Thesecurity policies1415 may be configured not to allow data transfer from private folders on thehost1205 to theexternal device1110. Thesecurity manager1405 will launch theappropriate security engines1410 to assure that theseexample security policies1415 are met. Further, thesecurity engines1410 may usesecurity data1420, which may include definition files of malicious ActiveX controls, locations of private folders, etc.

Although not shown, thesecurity system1335 may include additional components such as thepreboot flash520 with OS and applications, theremote management module550, thedistribution module555, and thebackup module560 discussed above with reference toFIG. 5. Other components are also possible.

FIG. 15 is a block diagram illustrating a securedata exchange system1500, in accordance with another embodiment of the present invention. The securedata exchange system1500 includes asecurity device1505 communicatively coupled to thehost1520 via anED plug1515 on thesecurity device1505 and afirst ED port1525 on thehost1520. The securedata exchange system1500 also includes anexternal device1110 communicatively coupled to thehost1520 via theED plug1120 on theexternal device1110 and asecond ED port1535 on thehost1520.

Because theexternal device1110 is not directly coupled to thesecurity device1505, thesecurity device1505 is not physically intercepting the data transfer requests between theexternal device1110 and thehost1520. Accordingly, in this embodiment, thehost1520 includes aredirect driver1530, which is configured to redirect data transfer requests between theexternal device1110 and thehost1520 regardless of data transfer direction. In one embodiment, thesecurity device1505 may be configured to protect only one of theexternal device1110 or thehost1520. Further, in one embodiment, thesecurity device1505 does not contain any ED drivers, e.g.,ED drivers1245.

In one embodiment, if thesecurity device1505 is not coupled to thehost1520, thehost1520 uses theED drivers1540 to communicate with theexternal device1110. In one embodiment, thehost1520 is configured not to communicate with theexternal device1110 until thesecurity device1505 is coupled to thehost1520. In one embodiment, thehost1520 uses theED drivers1540 to communicate with theexternal device1110 only if additional security measures are taken, such as receipt of a password and ID, or until thesecurity device1505 is coupled to thehost1520.

In one embodiment, thehost1520 may conduct enumeration of thesecurity device1505 upon connection of thesecurity device1505 to theED port1525. Upon identifying thesecurity device1505 orsecurity device1505 type, thehost1520 may initiate theredirect driver1530 to redirect all data transfer requests or otherexternal device1110 requests from allother ED ports1535 to thesecurity device1505. In one embodiment, theredirect driver1530 only accepts data transfer requests from thesecurity device1505, which presents the requests of theexternal device1110 as a proxy. In one embodiment, theredirect driver1530 performs data transfer requests received from theexternal device1110 only after thesecurity device1505 has conducted its check and given its authorization. Other protocols are also possible.

FIG. 16 is a flowchart illustrating amethod1600 of secure data exchange between a host and an external device, in accordance with an embodiment of the present invention. Themethod1600 begins instep1605 with thesecurity device1505 being connected to thefirst ED port1525 of thehost1520. Theexternal device1110 instep1610 is connected to thesecond ED port1535 of thehost1520. Thehost1505 instep1615 performs enumeration techniques to identify thesecurity device1505 and theexternal device1110 and to install theappropriate drivers1530/1540 to enable communication with thesecurity device1505 and theexternal device1110. Theredirect driver1530 instep1620 receives a data transfer request from either thehost1505 to theexternal device1110 or from theexternal device1110 to thehost1505. Theredirect driver1530 instep1625 redirects the data transfer request to thesecurity device1505, which instep1630 enforces its security policies (antivirus, antispyware, anti-adware, data privacy, etc.) on the data transfer request. Thesecurity device1505 instep1635 determines whether the data transfer request passes the security policies. If so, then thesecurity device1505 instep1640 authorizes the data transfer request and thehost1520 instep1645 performs the data transfer request. If not, then thesecurity device1505 instep1650 rejects the data transfer request.Method1600 then ends.

It will be appreciated that, in one embodiment, thesecurity device1210/1505 may be implemented as part of thehost1205/1520, e.g., within the housing of thehost1205/1520 and/or as a security procedure executed by thehost1205/1520.

Dynamic Isolation

FIG. 17 shows a priorart network system1700 having a hardware-based firewall. Thenetwork system1700 includesinternal computers1705aand1705b, a first network interface card (NIC)1710, a hardware-basedfirewall1715 that performs network address translation (NAT), asecond NIC1720, an external network1725 (such as the Internet), andexternal computers1730aand1730b.

Thefirewall1715 is a hardware-based firewall, such as Check Point FW-1 or Cisco PIX. The firewall uses two different network ports (thefirst NIC1720 and the second NIC1720) to separate and isolate theinternal computers1705aand1705bfrom theexternal network1720. Thefirewall1715 uses network address translation (NAT) to translate the Internet Protocol (IP) address of theinternal computer1705a(denoted as IP address x) and the IP address of theinternal computer1705b(denoted as IP address y) into a public IP address z, thus hiding the IP addresses of theinternal computers1705aand1705b. Thefirewall1715 performs a similar translation on the Media Access Control (MAC) addresses of theinternal computers1705aand1705b.

Thenetwork system1700 provides a higher level of security than PC software-based firewalls (such as Microsoft Windows Personal Firewall and Check Point ZoneAlarm) running on theinternal computers1705aand1705bthemselves, since PC software-based firewalls do not hide the IP and MAC addresses of the internal computers.

FIG. 18 shows a priorart network system1800 having a software-based firewall. Thenetwork system1800 includes an external network1805 (such as the Internet), one or more NICs1810 (denoted as1810a,1810b, . . .1810n), a Network Driver Interface Specification (NDIS)driver1815 that acts as an interface between layer 2 (the data link layer) and layer 3 (the network layer), an intermediate driver1820 (such as MINIPort in the Microsoft Windows operating system), a software-basedfirewall1825, anoperating system1830, and one or more applications1835 (denoted as1835a,1835b, . . .1835m). Theoperating system1830 contains a TCP/IP protocol suite1840.

In operation, theintermediate driver1820 directs traffic arriving from the NICs1810 andNDIS driver1815 to the software-basedfirewall1825. The software-basedfirewall1825 decides what to do with the traffic (allow, deny, or reject) and permits only the allowed traffic to proceed to theoperating system1830.

Thenetwork system1800 does not use a hardware-based firewall. Only one of the NICs1810 needs to be used at any given time. However, the IP and MAC addresses of the NICs1810 (which are visible to the external network1805) are the same IP and MAC addresses that are viewed and used by the applications1835 (i.e., there is no address isolation between the applications1835 and the external network1805).

FIG. 19 shows anetwork system1900 that performs dynamic address isolation, in accordance with an embodiment of the present invention. Thenetwork system1900 includes an external network1905 (such as the Internet), one or more NICs1910 (denoted as1910a,1910b, . . .1910n), anNDIS driver1915 that acts as an interface between layer 2 (the data link layer) and layer 3 (the network layer), anintermediate driver1920, a software-based or hardware-basedfirewall1925, anoperating system1930, and one or more applications1935 (denoted as1935a,1935b, . . .1935m). Theoperating system1930 contains the TCP/IP protocol suite1940. Theintermediate driver1920 includes aNAT engine1945, which contains a translations table for IP and MAC addresses.

The NICs1910,NDIS driver1915,intermediate driver1920,firewall1925,operating system1930, and applications1935 may be installed in amobile device310. Thefirewall1925 may be anexternal firewall1925 connected to theintermediate driver1920 by a Universal Serial Bus (USB) connection, a wireless connection, or another network wire connection. For example, thefirewall1925 may be part of themobile security system345.

In operation, theintermediate driver1920 receives all data packets arriving from the NICs1910 andNDIS driver1915, and routes each data packet to theNAT engine1945. TheNAT engine1945 uses Dynamic Host Configuration Protocol (DHCP) to dynamically isolate the IP addresses of the applications1935 from theexternal network1905. As shown inFIG. 19, thedynamic NAT engine1945 translates the IP address of the application1935 (IP address x) to a different IP address (IP address z) while interfacing with the NIC, and translates the IP address z back to the IP address x when sending data to theoperating system1930. Thus, theintermediate driver1920 provides IP address z to theexternal network1905, while isolating IP address x from the external network. TheNAT engine1945 performs a similar translation on MAC addresses, if necessary. As shown, theNAT engine1945 is part of theintermediate driver1920. However, one skilled in the art will recognize that theNAT engine1945 may be located elsewhere, e.g., on themobile security system345, part of thefirewall1925, etc.

After theNAT engine1945 translates the IP address, theintermediate driver1920 directs each data packet to thefirewall1925. Thefirewall1925 decides what to do with each data packet (allow, deny, or reject) and permits only the allowed data packets to proceed to theoperating system1930. Theintermediate driver1920 receives each allowed data packet back from thefirewall1925 and routes each allowed data packet to an application1935.

For outgoing data packets, theintermediate driver1920 receives each data packet from the application1935 and routes each data packet to theNAT engine1945. TheNAT engine1945 translates the IP and/or MAC address associated with the data packet as described above. Theintermediate driver1920 then receives each data packet (containing the translated IP and/or MAC address) back from theNAT engine1945 and routes each data packet to theexternal network1905.

In this way, thenetwork system1900 is able to isolate the IP and MAC addresses of internal computers/applications from theexternal network1905, while not requiring the use of a hardware-based firewall or more than one NIC. Network isolation and separation is achieved even if the firewall lacks more than one NIC.

Thus, a connection between amobile security system345 and amobile device310 may be implemented while using the principles of NAT and DHCP, so that end-user applications running on themobile device310 will “see” protected virtual IP and MAC addresses, while devices connected to the external network see different physical IP and MAC addresses. The present invention provides similar protection and IP hiding that a hardware-based firewall having two network ports (internal and external) provides to a mobile device, but without the need to use a hardware-based firewall and two or more network ports.

FIG. 23 is a flowchart of amethod2300 of routing a data communication from an external network (such as the external network1905) to an application (such as application1935), in accordance with an embodiment of the present invention. Instep2305, a NIC (such as NIC1910) receives a data communication from the external network. Data specifying an external IP address and an external MAC address are embedded in the data communication. Instep2310, the data communication is routed to an intermediate driver (such as the intermediate driver1920), which in turn routes the data communication to a NAT engine (such as the NAT engine1945). The NAT engine contains a translations table for IP and MAC addresses.

Instep2315, the NAT engine uses DHCP to translate the external IP and MAC addresses embedded in the data communication into internal IP and MAC addresses. The NAT engine then substitutes the internal IP and MAC addresses for the external IP and MAC addresses in the data communication. In this way, the IP and MAC addresses of internal computers/applications are isolated from the external network.

Instep2320, the intermediate driver routes the data communication to a firewall (such as the firewall1925). Instep2325, the firewall analyzes the data communication for malicious code. Instep2330, the firewall decides what to do with the data communication. If the data communication was found to contain malicious code, then themethod2300 proceeds to step2335. Instep2335, the firewall rejects the data communication and prevents it from proceeding to the application. Themethod2300 then ends.

If the data communication was not found to contain malicious code, then themethod2300 proceeds to step2340. Instep2340, the firewall allows the data communication. The intermediate driver receives the data communication back from the firewall and routes the data communication to the application. Themethod2300 then ends.

FIG. 24 is a flowchart of amethod2400 of routing a data communication from an application (such as application1935) to an external network (such as the external network1905), in accordance with an embodiment of the present invention. Instep2405, the application initiates a data communication. The application may embed data specifying an internal IP address and an internal MAC address in the data communication. In other embodiments, the internal IP address and the internal MAC address may be embedded by an operating system (such as the operating system1930).

Instep2410, the data communication is routed to an intermediate driver (such as the intermediate driver1920), which in turn routes the data communication to a NAT engine (such as the NAT engine1945). The NAT engine contains a translations table for IP and MAC addresses. Instep2415, the NAT engine uses DHCP to translate the internal IP and MAC addresses embedded in the data communication into external IP and MAC addresses. The NAT engine then substitutes the external IP and MAC addresses for the internal IP and MAC addresses in the data communication. In this way, the IP and MAC addresses of internal computers/applications are isolated from the external network.

Instep2420, the internal driver routes the data communication to the external network via a NIC (such as NIC1910). Themethod2400 then ends.

Hybrid Firewall

FIG. 20 shows a priorart network system2000 having separate network and personal firewalls. Thenetwork system2000 includes an external network2005 (such as the Internet), anetwork firewall2010, and personal computers2015 (denoted as2015a,2015b, etc.). Thenetwork firewall2010 may reside on an external device or computer. Thenetwork firewall2010 comprises afirst NIC2020, aNAT gateway2025 and asecond NIC2030. Each personal computer2015 comprises a personal firewall2035 (denoted as2035a,2035b, etc.) and an application2040 (denoted as2040a,2040b, etc.).

In operation, thenetwork firewall2010 uses theNAT gateway2025 to translate the IP address of thepersonal computer2015a(denoted as IP address x) and the IP address of the personal computer2015b(denoted as IP address y) into a public IP address z, and thus hide the IP addresses of thepersonal computers2105. Thenetwork firewall2010 performs a similar translation on the MAC addresses of the personal computers2015. Thenetwork firewall2010 also performs security measures such as antivirus, anti-spyware, anti-adware, etc. Because thenetwork firewall2010 is earlier in the network than the personal firewall2035, it can stop malicious code before it enters thesystem2000. However, because thenetwork firewall2010 is application insensitive and at a lower layer of the information stack, its processes for malicious code detection are limited.

The personal firewall2035 also performs security measures such as antivirus, anti-spyware, anti-adware, etc. Because the personal firewall2035 is application sensitive and at a higher layer of the information stack, its processes for malicious code detection can be more thorough and focused.

FIG. 21 shows anetwork system2100 comprising ahybrid firewall2110 in accordance with an embodiment of the present invention. Thenetwork system2100 includes an external network2105 (such as the Internet), a hybrid network/personal firewall2110, and personal computers2115 (denoted as2115a,2115b, etc.).

Thehybrid firewall2110 may reside on an external device or computer. In other embodiments, thehybrid firewall2110 may reside on themobile security system345, shown inFIGS. 10A-10C. Thehybrid firewall2110 comprises afirst NIC2120, aNAT engine2125 and asecond NIC2130.

Each personal computer2115 comprises an agent2135 (denoted as2135a,2135b, etc.) and one or more applications2140 (denoted as2140a,2140b, etc.). As shown inFIG. 21, thenetwork system2100 comprises only two personal computers2115, but in other embodiments thenetwork system2100 may comprise more than two personal computers.

In operation, thehybrid firewall2110 uses theNAT engine2125, which contains a translations table for IP and MAC addresses, to translate the IP address of thepersonal computer2115a(denoted as IP address x) and the IP address of the personal computer2115b(denoted as IP address y) into a public IP address z, and thus hide the IP addresses of the personal computers. Thenetwork firewall2110 performs a similar translation on the MAC addresses of the personal computers2115.

The hybrid firewall210 is capable of performing both the network firewall and personal firewall security measures. Because thehybrid firewall2010 is at the same level as the traditional network firewall2035, it can stop malicious code before it enters thesystem2100. Further, because thehybrid firewall2110 is application sensitive, thehybrid firewall2110 can perform the processes of the traditional personal firewall2035.

To enable thehybrid firewall2110 to be application sensitive, the agents2135 send packets of data to thehybrid firewall2110, each packet comprising data identifying the application2140 associated with the packet. Because each packet comprises data identifying the application2140 that is associated with the packet, thehybrid firewall2110 can act as a personal firewall2035 to handle application-level security. Then, thehybrid firewall2110 can transmit a subset of the data packets, by extracting at least the application-identifying data, to theexternal network2105.

FIG. 22 shows anetwork system2200 comprising ahybrid firewall2210 and configured according to the embodiment of the present invention shown inFIG. 10A. Thenetwork system2200 includes an external network2205 (such as the Internet), a hybrid network/personal firewall2210, and amobile device2215.

Thehybrid firewall2210 may reside on an external device in a pocket-size, handheld-size, keychain-size, or possibly smaller housing. Thehybrid firewall2210 comprises an ED plug2245 (such as a USB plug) for communicating with an ED port2230 (such as a USB port) contained within themobile device2215. Thehybrid firewall2210 also comprises aNAT engine2225. In other embodiments, thehybrid firewall2210 may be installed in themobile device2215, or connected to themobile device2215 by a wireless or another network wire connection.

Themobile device2215 comprises a NIC220, theED port2230, anagent2235, one ormore applications2240, and an intermediate driver2250 (such as MINIPort in the Microsoft Windows operating system). As shown inFIG. 22, thenetwork system2200 comprises only onemobile device2215 andhybrid firewall2210, but in other embodiments thenetwork system2200 may comprise more than one mobile device and hybrid firewall.

In operation, theintermediate driver2250 directs traffic arriving from theNIC2220 to thehybrid firewall2210 via theED port2230 andED plug2245. Thehybrid firewall2210 decides what to do with the traffic (allow, deny, or reject) and permits only the allowed traffic to proceed to anapplication2240.

Thehybrid firewall2210 uses theNAT engine2225, which contains a translations table for IP and MAC addresses, to translate the IP address of themobile device2215 into a public IP address, and thus hide the IP address of themobile device2215. Thehybrid firewall2210 performs a similar translation on the MAC address of themobile device2215.

Theapplication2240 can send packets of data via theED port2230 and ED plug2235 to thehybrid firewall2210 for transmission to theexternal network2205. Theagent2235 associates data identifying theapplication2240 with the packets of data that are sent to thehybrid firewall2210. Each packet thus comprises data identifying theapplication2240 associated with the packet. Because each packet comprises data identifying theapplication2240 associated with the packet, thehybrid firewall2210 can act as a personal firewall to handle application security.

FIG. 25 is a flowchart of amethod2500 of routing a data communication from an external network (such as theexternal network2105 or2205) to an application (such as application2140 or2240), in accordance with an embodiment of the present invention. Instep2505, a NIC (such asNIC2120 or2220) receives a data communication from the external network. Data specifying an external IP address and an external MAC address are embedded in the data communication. Instep2510, the data communication is routed to a hybrid network/personal firewall (such as thefirewall2110 or2210) that comprises a NAT engine (such as theNAT engine2125 or2225) containing a translations table for IP and MAC addresses. The hybrid firewall is at the same level as a traditional network firewall and is application sensitive.

Instep2515, the NAT engine uses DHCP to translate the external IP and MAC addresses embedded in the data communication into internal IP and MAC addresses. The NAT engine then substitutes the internal IP and MAC addresses for the external IP and MAC addresses in the data communication. In this way, the IP and MAC addresses of internal computers/applications are isolated from the external network.

Instep2520, the hybrid firewall associates the data communication with an application. The hybrid firewall makes this association based upon data packets previously received by the firewall that comprised application-identifying information.

Instep2525, the hybrid firewall analyzes the data communication for malicious code. Because the hybrid firewall is at the same level as a traditional network firewall, it can stop malicious code before it reaches a computer (such as computer2115 or2215). Further, because the hybrid firewall is application sensitive, the hybrid firewall can perform the function of a traditional personal firewall to handle application-level security.

Instep2530, the firewall decides what to do with the data communication. If the data communication was found to contain malicious code, then themethod2500 proceeds to step2535. Instep2535, the firewall rejects the data communication and prevents it from proceeding to the application. Themethod2500 then ends.

If the data communication was not found to contain malicious code, then themethod2500 proceeds to step2540. Instep2540, the firewall allows the data communication, and the data communication is routed to the application. Themethod2500 then ends.

FIG. 26 is a flowchart of amethod2600 of routing a data communication from an application (such as application2140 or2240) to an external network (such as theexternal network2105 or2205), in accordance with an embodiment of the present invention. Instep2605, the application initiates a data communication. The application may embed data specifying an internal IP address and an internal MAC address in the data communication. In other embodiments, the internal IP address and the internal MAC address may be embedded by an operating system or by an agent (such as the agent2135 or2235) running on a computer.

Instep2610, data identifying the application is embedded in the data communication. This step may be performed by the application, by an operating system, or by an agent (such as the agent2135 or2235) running on a computer. In one embodiment, an agent running on the same computer as the application creates packets of data, each packet comprising data identifying the application associated with the packet. Because each packet comprises data identifying the application that is associated with the packet, a downstream hybrid firewall (such as thefirewall2110 or2210) can act as a personal firewall to handle application-level security.

Instep2615, the data communication is routed to a hybrid network/personal firewall (such as thefirewall2110 or2210) that comprises a NAT engine (such as theNAT engine2125 or2225) containing a translations table for IP and MAC addresses. The hybrid firewall is at the same level as a traditional network firewall and is application sensitive.

Instep2620, the hybrid firewall extracts and removes the application-identifying information from the data communication. Instep2625, the NAT engine uses DHCP to translate the internal IP and MAC addresses embedded in the data communication into external IP and MAC addresses. The NAT engine then substitutes the external IP and MAC addresses for the internal IP and MAC addresses in the data communication. In this way, the IP and MAC addresses of internal computers/applications are isolated from the external network.

Instep2630, the data communication (minus data identifying the application, internal IP address, and internal MAC address) is routed to the external network via a NIC (such asNIC2120 or2220). Themethod2600 then ends.

The foregoing description of the preferred embodiments of the present invention is by way of example only, and other variations and modifications of the above-described embodiments and methods are possible in light of the foregoing teaching. Although the network sites are being described as separate and distinct sites, one skilled in the art will recognize that these sites may be a part of an integral site, may each include portions of multiple sites, or may include combinations of single and multiple sites. The various embodiments set forth herein may be implemented utilizing hardware, software, or any desired combination thereof. For that matter, any type of logic may be utilized which is capable of implementing the various functionality set forth herein. Components may be implemented using a programmed general purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. Connections may be wired, wireless, modem, etc. The embodiments described herein are not intended to be exhaustive or limiting. The present invention is limited only by the following claims.

Claims (12)

The invention claimed is:

1. A storage device storing program code, the program code comprising:

a network interface communicatively between an external network and an internal network, the network interface coupled to receive incoming network packets from and transmit outgoing network packets to the external network, each of the incoming network packets and the outgoing network packets being associated with a public address;

a network address translation engine configured to translate between the public address and an application address associated with an application, the application being on the internal network; and

a driver coupled to the network interface, the driver configured to forward outgoing application packets to the network address translation engine, the outgoing application packets being associated with the application address, the network address translation engine configured to translate the application address of the outgoing application packets to the public address and assist in generating the outgoing network packets, and configured to forward the incoming network packets to the network address translation engine to translate the public address to the application address and assist in generating incoming application packets;

the driver configured to transmit the incoming application packets to a security engine configured to reject the incoming application packets if the incoming application packets are deemed to include or potentially include malicious content according to a mobile device security policy, and to allow the incoming application packets to be forwarded to the application if the incoming application packets have not been deemed to include or potentially include malicious content according to the mobile device security policy, the driver being configured to provide information identifying the application to the security engine, the security engine being configured to handle both network-level security and application-level security.

2. The storage device ofclaim 1, wherein the network address translation engine is part of the driver.

3. The storage device ofclaim 1, wherein the network address translation engine is part of the security engine.

4. The storage device ofclaim 3, wherein the security engine is located on a mobile security system configured to implement the mobile device security policy.

5. The storage device ofclaim 1, wherein the network address translation engine is configured to use Dynamic Host Configuration Protocol to translate the application address to the public address and the public address to the application address.

6. A system, comprising:

a network interface communicatively between an external network and an internal network, the network interface coupled to receive incoming network packets from the external network, the incoming network packets being associated with a public address, each incoming network packet being associated with one of the one or more applications, each incoming network packet comprising information configured to assist in identifying the application associated with the incoming network packet;

a security engine in communication with the network interface, the security engine configured to handle both network-level security and application-level security;

a driver in communication with the security engine and with one or more applications, the one or more applications being associated with at least one application address, the one or more applications being on the internal network; and

a network address translation engine configured to translate the public address associated with the incoming network packets to the at least one application address of the one or more applications and assist in generating incoming application packets, and configured to translate the at least one application address of the one or more applications associated with outgoing application packets to the public address, thereby dynamically isolating the one or more applications from the external network;

the security engine being configured to:

reject at least one of the incoming application packets if one or more of the incoming application packets are deemed to include or potentially include malicious content according to a mobile device security policy; and

allow the at least one of the incoming application packets to pass to the one or more applications if the one or more of the incoming application packets are not deemed to include or potentially include malicious content according to the mobile device security policy.

7. The system ofclaim 6, wherein the security engine is configured to use the information configured to assist in identifying the application associated with the incoming network packet to handle application-level security.

8. The system ofclaim 6, wherein the security engine comprises the network address translation engine.

9. The system ofclaim 6, wherein the network address translation engine is configured to use Dynamic Host Configuration Protocol.

10. A method of processing incoming data packets, the method comprising:

receiving incoming network packets from an external network, the incoming network packets associated with a public address;

translating the public address of the incoming network packets into an application address associated with an application, the application being on an internal network;

generating incoming application packets based on the incoming network packets and on the application address;

providing the incoming application packets and information identifying the application to a security engine, the security engine configured to implement a mobile device security policy for evaluating the incoming application packets for malicious code, the security engine configured to handle both network-level and application-level security;

rejecting at least one of the incoming application packets if one or more of the incoming application packets are deemed to include or potentially include the malicious code according to the mobile device security policy; and

allowing the at least one of the incoming application packets to pass to the application if the one or more of the incoming application packets are deemed not to include or potentially include the malicious code according to the mobile device security policy.

11. The method ofclaim 10, further comprising evaluating the incoming application packets for the malicious code at both the network level and the application level.

12. The method ofclaim 10, wherein the translating includes using Dynamic Host Configuration Protocol.

Images